Expel said that PoisonSeed has found a clever technique to bypass this crucial step. While the user enters the username and password into the fake site, a PoisonSeed team member enters them into a real Okta login page in real time. Thursday's post explained further:
In the case of this attack, the bad actors have entered the correct username and password and have requested cross-device sign-in. The login portal shows a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.
This process, while seemingly complex, effectively bypasses all the protection a FIDO key provides and gives the attackers access to the compromised user's account, including access to applications, sensitive documents and tools that offer such access.
How FIDO makes such attacks impossible
The end result, the security company said, was an adversary-in-the-middle attack that tampered with the QR code process to bypass FIDO MFA. As noted earlier, the authors of the FIDO specifications anticipated such attack techniques and built in defenses that make them impossible, at least in the form Expel described. If the targeted Okta MFA process had followed the FIDO requirements, the login would have failed for at least two reasons.
First, the device providing the hybrid form of authentication must be physically close enough to the device that is logging in (here, the attacker's) for the two to connect over Bluetooth. Contrary to what Expel said, this is not "an extra security feature". It is mandatory. Without it, the authentication fails.
Second, the challenge the hybrid device is asked to sign is bound to the domain of the fake site (here Okta[.]Inpatiency[.]com), not to the real okta.com domain. Even if the hybrid device were in the vicinity of the attacker, the authentication would still fail because the origins do not match.
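To make the second point concrete, here is an added example (not code from Expel, Okta or the FIDO Alliance) of the relying-party checks that make a relayed FIDO assertion fail. It models a simplified WebAuthn assertion: the browser, not the attacker, writes the origin it is on into clientDataJSON and derives the RP ID from it, and the authenticator signs over authenticatorData plus the hash of clientDataJSON. The signature is an HMAC stand-in for the authenticator's real ECDSA signature (an assumption made so the script runs with the standard library only); the domain okta.inpatiency.com is the page's phishing domain with the defanging brackets removed, and the challenge and key are constructed sample values.

```python
"""Simplified WebAuthn relying-party verification, showing why an assertion
produced on a phishing origin is rejected by the real RP (added example).

Assumptions: the signature is an HMAC stand-in for the authenticator's
ECDSA signature, and CREDENTIAL_KEY plays the role of the key pair shared
between the toy authenticator and the RP.  authenticatorData is reduced to
rpIdHash || flags || signCount.
"""
import hashlib
import hmac
import json
import os

CREDENTIAL_KEY = b"toy-credential-key"  # constructed sample, stands in for a key pair


def authenticator_sign(rp_id, origin, challenge, key=CREDENTIAL_KEY):
    """What the phone (hybrid authenticator) returns for a get() request.

    The browser fills in `origin` and `rp_id` from the page it is actually on,
    so a phished user's browser binds the assertion to the phishing domain.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        separators=(",", ":"),
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify(expected_rp_id, expected_origin, challenge,
              client_data, auth_data, sig, key=CREDENTIAL_KEY):
    """Run the assertion checks the real RP performs; return (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:          # origin binding
        return False, "origin mismatch: %s" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"            # RP ID binding
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig):
        return False, "bad signature"                # tampering with clientDataJSON
    return True, "ok"


def run_scenarios():
    """Legitimate login, the relayed (AitM) login, and a tampered relay."""
    challenge = os.urandom(32)  # issued by the real RP at okta.com
    results = {}

    # 1. Legitimate: the victim's browser is on https://okta.com.
    cd, ad, sig = authenticator_sign("okta.com", "https://okta.com", challenge)
    results["legit"] = rp_verify("okta.com", "https://okta.com", challenge, cd, ad, sig)

    # 2. Relay: the attacker forwards the real challenge to the victim on the
    #    phishing site; the victim's browser binds the assertion to that site.
    cd, ad, sig = authenticator_sign("okta.inpatiency.com",
                                     "https://okta.inpatiency.com", challenge)
    results["relayed"] = rp_verify("okta.com", "https://okta.com", challenge, cd, ad, sig)

    # 3. The attacker rewrites origin and rpIdHash before forwarding; the
    #    signature no longer covers what the RP now hashes.
    forged = json.loads(cd)
    forged["origin"] = "https://okta.com"
    forged_cd = json.dumps(forged, separators=(",", ":")).encode()
    forged_ad = hashlib.sha256(b"okta.com").digest() + ad[32:]
    results["tampered"] = rp_verify("okta.com", "https://okta.com", challenge,
                                    forged_cd, forged_ad, sig)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print("%-9s %s %s" % (name, "accepted" if ok else "rejected", reason))
```

Only the first scenario is accepted. The relayed assertion fails on the origin check before the signature is even examined, and rewriting the client data to look like it came from okta.com breaks the signature, which is exactly what Bluetooth proximity and origin binding in the hybrid flow are designed to guarantee.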
What Expel seems to have encountered is an attack that downgraded FIDO MFA to a weaker form of MFA. That weaker authentication was very likely comparable to the flow used to sign in to a Netflix or YouTube account on a TV with a phone. Assuming this was the case, whoever administered the organization's Okta login page must have deliberately chosen to allow this fallback to a weaker form of MFA. As such, the attack is more accurately classified as a FIDO downgrade attack, not a bypass.